CASE FILE // PC-2026-04
Status: Open


Filing: 05.05.00 | Field: 27 APR 2026 | Classification: Public | Status: Open

SoSafe cost: $24 to $72 per user per year, GDPR-native German-vendor pricing

SoSafe is the Cologne-based phishing-training platform that has grown rapidly across Western Europe since 2018. Pricing sits between KnowBe4 and Hoxhunt and is particularly attractive for organisations under GDPR, NIS2, or German BSI cyber-framework expectations.

Exhibit A

SoSafe pricing structure and competitive position


SoSafe pricing in 2026 sits at an estimated $24 to $72 per user per year, between KnowBe4 ($20-$60) and Hoxhunt ($32-$90). The competitive position is shaped by two structural factors. First, SoSafe's German-engineering, EU-native data processing posture is structurally attractive for European buyers in a way that the US-headquartered competitors cannot easily match without additional configuration. Second, SoSafe's price point is lower than Hoxhunt at equivalent functional tiers, which makes it the natural EU-native alternative for buyers who want EU-default data residency without paying the Hoxhunt premium.

The pricing estimates on this page are triangulated from European public-tender records (the EU public procurement portal TED, the German federal procurement records on evergabe-online, and equivalent national systems in Austria, Switzerland, and other German-speaking jurisdictions), plus reseller catalogue listings and buyer-community reports. The data quality for SoSafe pricing in the US market is lower than for KnowBe4 or Proofpoint because the US installed base is smaller and there are fewer USASpending records to draw on. The bands cited should be treated as planning estimates with wider uncertainty than the equivalent KnowBe4 or PSAT figures. [TED EU public procurement + evergabe-online + reseller catalogues + buyer-community reports 2023-2025]

Exhibit B

The German base and the BSI framework alignment

REFERENCE

SoSafe was founded in Cologne in 2018 and has grown rapidly across Germany, Austria, Switzerland, and broader Western Europe. The German base is a meaningful product-positioning factor because German enterprises and the German federal government look to the Federal Office for Information Security (BSI) IT-Grundschutz framework as the de-facto cyber-control baseline. SoSafe's product alignment with BSI expectations (in content coverage, in user-data-handling practices, in reporting depth for BSI-conformant audits) makes the platform the dominant phishing-training choice in the German federal market and a strong choice for German-regulated industry.

The implication for non-German buyers is contextual. For US-headquartered firms with German or broader EU operations, SoSafe's BSI-aligned posture is useful for the EU-region deployment but less so for the US deployment. Many multi-region buyers run SoSafe in the EU and a US-headquartered alternative (KnowBe4 or Proofpoint PSAT) in the US, which produces some operational fragmentation but optimises per-region fit. For US-only firms without EU operations the German-base positioning does not apply and the comparative-evaluation focus should be on per-user pricing, content-library coverage, and feature mix versus the dominant US alternatives.

The content library covers more European languages than those of the US-headquartered competitors. German, French, Spanish, Italian, Dutch, Polish, and other major European-language coverage is well-developed; smaller European languages (Czech, Hungarian, Greek, Nordic languages) have meaningful coverage that competing vendors frequently lack. The multi-language depth is one of SoSafe's strongest distinguishing capabilities and is particularly valuable for European-headquartered firms with a multi-national workforce. [BSI IT-Grundschutz framework + SoSafe product literature 2024-2025]

Exhibit C

Worked examples by organisation profile


| Organisation profile | Region | Per-user cost | Annual total |
|---|---|---|---|
| 500-employee German Mittelstand | EU | $40 | $20,000 |
| 2,000-employee European mid-market | EU | $36 | $72,000 |
| 500-employee US mid-market, EU ops | Mixed | $45 | $22,500 |
| 10,000-employee European enterprise | EU | $32 | $320,000 |
| 25,000-employee large enterprise | EU + US | $28 | $700,000 |
| 50,000-employee global enterprise | Multi-region | $25 | $1,250,000 |

Examples use midpoint negotiation outcomes. EU-region pricing is slightly more competitive than US-region pricing because SoSafe's customer-success and sales infrastructure is more mature in Europe. Multi-region deployments add some operational complexity but typically yield strong volume-discount terms. [TED + evergabe-online + reseller catalogues triangulation]

Exhibit D

The EU regulatory tailwind: NIS2, DORA, GDPR enforcement


SoSafe has benefited from a sustained European regulatory tailwind through 2023-2026. The EU NIS2 directive, transposed into national law across EU member states through 2024-2025, requires designated essential and important entities to implement cyber-security risk management measures including awareness training. The compliance bar implicit in NIS2 has driven demand for awareness-training platforms across European mid-market and enterprise segments that previously deferred the investment.

The Digital Operational Resilience Act (DORA), applicable from January 2025 to EU financial-services entities and their critical third-party ICT providers, adds an additional regulatory layer that includes awareness-training expectations. DORA's third-party-risk-management provisions also create demand for awareness-training-vendor due-diligence which favours vendors who can demonstrate GDPR-native posture and EU-data-residency by default. SoSafe is structurally well-positioned for this demand.

GDPR enforcement through 2023-2025 has continued to produce material fines for inadequate data-handling practices, with cyber-event-driven enforcement actions a meaningful share of total enforcement. The fine schedule (up to 4% of annual global turnover under Article 83(5)) means that any cyber-control choice that affects post-event regulator-relationship dynamics is consequential. EU-native vendors are perceived (correctly or not) as carrying less regulator-relationship risk than US-headquartered vendors in EU-data-handling contexts. The perception drives a structural pricing-and-procurement advantage for SoSafe in European enterprise procurement that is unlikely to fade in the near term. [EU NIS2 (Directive 2022/2555) + DORA (Regulation 2022/2554) + GDPR enforcement docket 2023-2025]

Exhibit E

The behaviour-change methodology and content approach


SoSafe's methodology places relatively more emphasis on positive-reinforcement behavioural-change than the gamification-light approaches of older awareness-training platforms. The platform delivers short-format training interventions (typically 2-5 minutes) immediately after a user interacts with a simulation, with feedback framed as learning rather than failure. The approach is theoretically grounded in behavioural-science research on habit formation and aligns with the methodology direction that Hoxhunt also emphasises (though through somewhat different product-design choices).

The practical impact on click-rate reduction over time is broadly comparable to other major awareness-training platforms. Published outcomes show 40 to 60 percent reduction in baseline-bulk-phishing click rates over 18 to 24 months of sustained program use, in line with KnowBe4 and Proofpoint PSAT figures. Reduction against AI-grade phishing is materially lower (as it is for all training platforms) and the strongest defence remains pairing awareness training with phishing-resistant MFA, behavioural email security, and a documented incident-response capability.

SoSafe's content authoring is done in-house by a team based in Cologne and other EU offices, which produces content that resonates well with European workforce culture and language norms. US buyers occasionally report that the SoSafe content feels less culturally tuned to US workforce contexts than KnowBe4 or Proofpoint PSAT content, which is unsurprising given the vendor origin. Multi-region buyers should evaluate content fit in each region separately rather than assuming uniform applicability across the workforce. [SoSafe product literature 2024-2025 + Forrester Wave Security Awareness Training 2024 EMEA section]

Exhibit F

What buyers should ask before signing the SoSafe contract


Is EU-hosted or US-hosted the right deployment?

Default is EU-hosted. For US-only operations or US-government contracts, request US-hosted; confirm operational maturity at the US-hosting tier.

What is the per-user pricing including volume discount?

Compare against KnowBe4 Diamond and Hoxhunt enterprise at the same volume. SoSafe typically prices between the two; the discount-curve slope matters for multi-region commitments.

Which European languages are covered to your standard?

SoSafe has broader European-language coverage than US-headquartered competitors but content quality varies by language. Spot-check content in your primary deployment languages.

What is the BSI / NIS2 / DORA conformance reporting?

If you are subject to BSI IT-Grundschutz, NIS2, or DORA, SoSafe's conformance-reporting depth is a real differentiator. Confirm the reporting templates available.

What is the customer-success engagement?

SoSafe customer-success is typically higher-touch than KnowBe4. Confirm the engagement level included at the offered tier.

What is the multi-year discount and renewal-price posture?

3-year and 5-year commitments yield a meaningful discount. Confirm the renewal-price cap to avoid auto-renewal at list price.

Exhibit G

Frequently filed questions

ON RECORD

How much does SoSafe cost?

Estimated $24-$72 per user per year. Mid-market typically $35-$55; enterprise volume-discounted $28-$42. Between KnowBe4 and Hoxhunt at equivalent tiers.

Where is SoSafe based?

Cologne, Germany. Founded 2018. Default deployment is EU-hosted. GDPR-native by design.

How does SoSafe compare to Hoxhunt?

Generally priced below Hoxhunt at equivalent tiers. Both emphasise EU-native data processing. Hoxhunt has stronger AI-content simulation and per-user behaviour-tracking depth; SoSafe has broader European-language content-library coverage.

Is SoSafe relevant for US buyers?

For US-headquartered firms with EU operations, yes. For US-only firms without EU operations, the German-base positioning does not apply and US-headquartered alternatives may be more culturally tuned.

What is the BSI framework relevance?

The German Federal Office for Information Security (BSI) IT-Grundschutz framework is the de-facto cyber-control baseline for German enterprises and federal government. SoSafe alignment is a real differentiator in the German market.

Does SoSafe have a US-hosted option?

Yes, on request. Default is EU-hosted. The bulk of customers use the EU-hosted default.

Is SoSafe effective?

Yes. Click-rate reduction outcomes are consistent with the industry benchmark of 40-60% over 24 months. Reduction against AI-grade phishing is lower (as it is for all training platforms).

Updated 2026-04-27